Re: Problem with start of auditd on 2.6.13-2smp machine

From: Steve Grubb <sgrubb redhat com>

To: linux-audit redhat com

Cc:

Subject: Re: Problem with start of auditd on 2.6.13-2smp machine

Date: Tue, 10 Jan 2006 13:28:59 -0500

On Tuesday 10 January 2006 12:44, Lisa Giacchetti wrote:
> I have a redhat enterprise linux 4 update 1 based system running
> 2.6.13-2smp kernel with audit-1.0.3-6.EL4 and audit-libs-1.0.3-6.EL4
> installed.

That kernel does not sound like a RHEL4 kernel. The RHEL4 kernel carries all
the patches that the kernel needs for the audit system to work.

> The problem is that when I start auditd I get this error:
>
> [root cmsstor02 etc]# /etc/init.d/auditd start
> Starting auditd: [ OK ]
> Error receiving watch list (Invalid argument)
> There was an error in line 5 of /etc/audit.rules

Non-RHEL4 kernels do not have the right patch for file system auditing. When
it was sent upstream, there was some consolidation with inotify suggested
before acceptance. That work is still in progress. So...no kernel except the
RHEL4 kernel really has the file system auditing at this point.

> auditd actually starts but I am concerned that the -D
> option (which is what is on line 5 of /etc/audit.rules)
> is not being recognized or honored.

If you do not need file system auditing, then you can safely ignore this. If
you do need it, you need to change kernels.

> I see that newer versions of the audit rpm may have fixed this

That one is older.

> "* Thu May 26 2005 Steve Grubb <sgrubb redhat com> 0.9-1
> - Translate numeric info to human readable for ausearch output
> - add '-if' option to ausearch to select input file
> - add '-c' option to ausearch to allow searching by comm field
> - init script now deletes all rules when daemon stops
> - Make auditctl display perms correctly in watch listings
> *** - Make auditctl -D remove all watches"
>
> but I do not have the glibc-kernheaders needed. Mine
> are glibc-kernheaders-2.4-9.1.87 and audit-1.0.1201 needs
> glibc-kernheaders>=2.4-9.1.95.

We ship all the right pieces so that RHEL4 stuff is coordinated with itself
and FC4 is coordinated with itself. 1.0.12 will be released with the U3 update,
but it will not solve the problem you are reporting.

-Steve